Authorization Roles Configuration Parameters
The [AuthorizationRoles] section contains definitions for roles that enable particular sets of actions for particular clients, SSL identities, and GSS principals.
You must create a subsection for each authorization role that you define in the [AuthorizationRoles] configuration section.
You define the permissions that a particular role has by using StandardRoles, or by specifying the Actions and ServiceActions that you want the role to be able to use. You define the users that belong to a particular role by using Clients, GSSPrincipals, and SSLIdentities.
If a connection matches one of the allowed clients, principals, or SSL identities, that connection has permission to perform the operations allowed by the role.
For example:
[AuthorizationRoles]
0=AdminRole
1=IDOLUserRole
2=StatusOnlyRole

[AdminRole]
StandardRoles=Admin,ServiceControl
Clients=localhost
SSLIdentities=admin.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM

[IDOLUserRole]
StandardRoles=Query,ServiceStatus
SSLIdentities=admin.example.com,userserver.example.com
GSSPrincipals=CONTENT01/admin.example.com@EXAMPLE.COM,CONTENT02/userserver.example.com@EXAMPLE.COM

[StatusOnlyRole]
ServiceActions=GetStatus
SSLIdentities=general.example.com
You can use the ShowPermissions action to check the permissions for a user.
IMPORTANT: Make sure that you delete any deprecated RoleClients parameters from your configuration (where Role corresponds to a standard role name) to ensure License Server allows only your authorization role permissions.
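The following Python script is an added example, not part of the product or its documentation. It audits a configuration for the two requirements above: every role listed in [AuthorizationRoles] has its own subsection, and no deprecated RoleClients parameter remains outside the role subsections. The [Server] section, the AuditRole entry, and the sample values are constructed for illustration, and the standard role names are the ones that appear in the example on this page.

```python
import re

# Standard role names as they appear in the page's example (extend as needed).
STANDARD_ROLES = ("Admin", "ServiceControl", "Query", "ServiceStatus")
MEMBER_KEYS = ("Clients", "SSLIdentities", "GSSPrincipals")

# Constructed sample config: section [Server] and its values are assumptions.
SAMPLE_CFG = """\
[Server]
AdminClients=*
QueryClients=10.0.0.*
[AuthorizationRoles]
0=AdminRole
1=StatusOnlyRole
2=AuditRole

[AdminRole]
StandardRoles=Admin,ServiceControl
Clients=localhost
SSLIdentities=admin.example.com

[StatusOnlyRole]
ServiceActions=GetStatus
SSLIdentities=general.example.com
"""

def parse_cfg(text):
    """Parse INI-style text into {section: {key: value}}, keeping key case."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return (members per role, roles lacking a subsection, legacy findings)."""
    cfg = parse_cfg(text)
    roles = list(cfg.get("AuthorizationRoles", {}).values())
    missing = [r for r in roles if r not in cfg]
    members = {r: {k: cfg[r][k].split(",") for k in MEMBER_KEYS if k in cfg[r]}
               for r in roles if r in cfg}
    legacy = {f"{r}Clients".lower() for r in STANDARD_ROLES}
    findings = [(sec, key) for sec, kv in cfg.items() if sec not in roles
                for key in kv if key.lower() in legacy]
    return members, missing, findings
```

Call audit() on the text of your configuration file; a non-empty second or third return value means a role has no subsection or a deprecated parameter is still present.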